OpenID, Attribute Exchange, SReg, python-openid and Google

23 April 2010   2 comments   Python, Web development

I've learned a couple of things this week while deploying my first site to use a user-friendly OpenID.

My first revelation was that Google and Yahoo! have solved a usability stumbling block: you can use them as providers without having to know a personally unique URL. For example, for Yahoo! it's just which means that you don't need to offer a cryptic URL form and you can just show it as a logo image.

The second thing is that Google's hybrid OpenID + OAuth isn't as complicated as it sounds. It's basically a light extension to the OpenID "protocol" whereby you say, "while you're at it, also give me an OAuth token please so that I can connect back into Google's services later". What's important to understand, though, is that if you use this you need to know the "scope". The scope is a URL to a service. Google Docs is a service, for example, and you need to search the web to figure out what the scope URL is for that service.

The third revelation was when I understood the difference between Simple Registration Extension (SREG) and Attribute Exchange (AX). Basically, SREG was the first one and AX is a newer, more modern alternative. AX is better but some OpenID providers don't yet support it. Google, for example, only supports AX. The key to supporting not just Google's OpenID but any OpenID is that you can request both AX and SREG, and whichever one works will be returned.

The fourth thing that helped a lot to understand was that Google's OpenID has a bug in its implementation of Attribute Exchange. Actually, perhaps it's a deliberate design choice they've made, but in my opinion a bad one. Unless you say you require email, firstname, lastname, country etc., it won't return them. If you use the if_available directive you won't get them. Another bug/bad design choice is that Google seems to not forward the country attribute. It can happily do first and last name but not country, even though the documentation claims it can.

The fifth thing is that python-openid is a lot easier to work with than you think. You don't need to do any crazy network checks or callbacks. For initiating the challenge, all you're effectively doing is creating a long URL. If you don't like the API methods python-openid offers, just add your own with:

redirect_url += '&' # etc.
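As an added example (not from the original post and not python-openid's own code), the sketch below builds that long URL by hand, requesting AX and SREG together with every AX attribute marked required, and then reads the email from whichever extension answered. The function names and the sample response are constructed for illustration, and it assumes the assertion's signature has already been verified, which the library does for you.

```python
from urllib.parse import urlencode

AX_NS = "http://openid.net/srv/ax/1.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
AX_TYPES = {  # alias -> axschema.org type URI
    "email": "http://axschema.org/contact/email",
    "firstname": "http://axschema.org/namePerson/first",
    "lastname": "http://axschema.org/namePerson/last",
}

def build_auth_url(endpoint, return_to, realm):
    """checkid_setup redirect URL that requests AX and SREG in one go (hypothetical helper)."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": SELECT,
        "openid.identity": SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_request",
        # Everything is "required": per the post, if_available gets nothing back from Google.
        "openid.ax.required": ",".join(AX_TYPES),
        "openid.ns.sreg": SREG_NS,  # fallback for providers without AX
        "openid.sreg.required": "email",
    }
    for alias, uri in AX_TYPES.items():
        params["openid.ax.type." + alias] = uri
    return endpoint + ("&" if "?" in endpoint else "?") + urlencode(params)

def extract_email(resp):
    """Email from whichever extension answered; assumes the signature is already verified."""
    signed = {"openid." + f for f in resp.get("openid.signed", "").split(",")}
    ok = {k: v for k, v in resp.items() if k in signed}  # drop fields the provider did not sign
    # The provider picks its own AX alias (e.g. "ext1"), so find it by namespace URI.
    for ns_key, ns_uri in ok.items():
        if ns_key.startswith("openid.ns.") and ns_uri == AX_NS:
            ext = "openid." + ns_key[len("openid.ns."):]
            for key, uri in ok.items():
                if key.startswith(ext + ".type.") and uri == AX_TYPES["email"]:
                    value = ok.get(ext + ".value." + key.split(".type.", 1)[1])
                    if value:
                        return value
    return ok.get("openid.sreg.email")  # SREG under its conventional "sreg" alias

# Constructed sample: signed AX response where the provider chose the alias "ext1".
SAMPLE = {"openid.signed": "ns.ext1,ext1.type.email,ext1.value.email", "openid.ns.ext1": AX_NS,
          "openid.ext1.type.email": AX_TYPES["email"], "openid.ext1.value.email": "user@example.org"}
```

Filtering on `openid.signed` matters because extension fields that the provider did not sign can be appended to the return URL by anyone who handles the redirect.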

After so many years since OpenID arrived, I'm only now excited about it. It's tonnes easier to implement than OAuth and now it's actually really pleasant to use as an end user.


Thanks buddy, that was helpful for me.
Alex Quinn
Thanks a lot. Most helpful!
